rkerberos 0.1.0

data/ext/rkerberos/rkerberos.h

@@ -0,0 +1,95 @@
+#ifndef KRB5_AUTH_H_INCLUDED
+#define KRB5_AUTH_H_INCLUDED
+
+#include <ruby.h>
+#include <krb5.h>
+#include <string.h>
+
+#ifdef HAVE_KADM5_ADMIN_H
+#include <kadm5/admin.h>
+#endif
+
+// Function Prototypes
+void Init_context();
+void Init_kadm5();
+void Init_config();
+void Init_policy();
+void Init_principal();
+void Init_keytab();
+void Init_keytab_entry();
+void Init_ccache();
+
+// Defined in rkerberos.c
+VALUE rb_hash_aref2(VALUE, char*);
+
+// Variable declarations
+extern VALUE mKerberos;
+extern VALUE cKrb5;
+extern VALUE cKrb5CCache;
+extern VALUE cKrb5Context;
+extern VALUE cKrb5Keytab;
+extern VALUE cKrb5KtEntry;
+extern VALUE cKrb5Exception;
+extern VALUE cKrb5Principal;
+extern VALUE cKadm5;
+extern VALUE cKadm5Config;
+extern VALUE cKadm5Exception;
+extern VALUE cKadm5Policy;
+
+// Kerberos::Krb5
+typedef struct {
+  krb5_context ctx;
+  krb5_creds creds;
+  krb5_principal princ;
+  krb5_keytab keytab;
+} RUBY_KRB5;
+
+// Kerberos::Context
+typedef struct {
+  krb5_context ctx;
+  krb5_enctype etypes;
+} RUBY_KRB5_CONTEXT;
+
+// Kerberos::Kadm5
+typedef struct {
+  krb5_context ctx;
+  krb5_principal princ;
+  void* handle;
+} RUBY_KADM5;
+
+// Kerberos::Krb5::Keytab::Entry
+typedef struct {
+  krb5_principal principal;
+  krb5_timestamp timestamp;
+  krb5_kvno vno;
+  krb5_keyblock key;
+} RUBY_KRB5_KT_ENTRY;
+
+// Kerberos::Krb5::Keytab
+typedef struct {
+  krb5_context ctx;
+  krb5_creds creds;
+  krb5_keytab keytab;
+} RUBY_KRB5_KEYTAB;
+
+typedef struct {
+  krb5_context ctx;
+  krb5_principal principal;
+} RUBY_KRB5_PRINC;
+
+typedef struct {
+  krb5_context ctx;
+  krb5_ccache ccache;
+  krb5_principal principal;
+} RUBY_KRB5_CCACHE;
+
+typedef struct {
+  krb5_context ctx;
+  kadm5_config_params config;
+} RUBY_KADM5_CONFIG;
+
+typedef struct {
+  krb5_context ctx;
+  kadm5_policy_ent_rec policy;
+} RUBY_KADM5_POLICY;
+#endif

data/rkerberos.gemspec

@@ -0,0 +1,28 @@
+require 'rubygems'
+
+Gem::Specification.new do |spec|
+  spec.name       = 'rkerberos'
+  spec.version    = '0.1.0'
+  spec.author     = 'Daniel Berger'
+  spec.license    = 'Artistic 2.0'
+  spec.email      = 'djberg96@gmail.com'
+  spec.homepage   = 'http://github.com/djberg96/rkerberos'
+  spec.platform   = Gem::Platform::RUBY
+  spec.summary    = 'A Ruby interface for the the Kerberos library'
+  spec.test_files = Dir['test/test*']
+  spec.extensions = ['ext/rkerberos/extconf.rb']
+  spec.files      = Dir['**/*'].reject{ |f| f.include?('git') || f.include?('tmp') }
+  
+  spec.rubyforge_project = 'rkerberos'
+  spec.extra_rdoc_files  = ['README', 'CHANGES', 'MANIFEST'] + Dir['ext/rkerberos/*.c']
+
+  spec.add_dependency('rake-compiler')
+  
+  spec.add_development_dependency('test-unit', '>= 2.1.0')
+  spec.add_development_dependency('dbi-dbrc', '>= 1.1.6')
+   
+  spec.description = <<-EOF
+    The rkerberos library is an interface for the Kerberos 5 network
+    authentication protocol. It wraps the Kerberos C API.
+  EOF
+end

data/test/test_config.rb

@@ -0,0 +1,129 @@
+########################################################################
+# test_config.rb
+#
+# Test suite for the Kerberos::Kadm5::Config class.
+########################################################################
+require 'rubygems'
+gem 'test-unit'
+
+require 'test/unit'
+require 'rkerberos'
+
+class TC_Kadm5_Config < Test::Unit::TestCase
+  def setup
+    @config = Kerberos::Kadm5::Config.new
+  end
+
+  test "config object is frozen" do
+    assert_true(@config.frozen?)
+  end
+
+  test "realm basic functionality" do
+    assert_respond_to(@config, :realm)
+    assert_kind_of(String, @config.realm)
+  end
+
+  test "kadmind_port basic functionality" do
+    assert_respond_to(@config, :kadmind_port)
+    assert_kind_of(Fixnum, @config.kadmind_port)
+  end
+
+  test "kpasswd_port basic functionality" do
+    assert_respond_to(@config, :kpasswd_port)
+    assert_kind_of(Fixnum, @config.kpasswd_port)
+  end
+
+  test "admin_server basic functionality" do
+    assert_respond_to(@config, :admin_server)
+    assert_kind_of(String, @config.admin_server)
+  end
+
+  test "admin_keytab basic functionality" do
+    assert_respond_to(@config, :admin_keytab)
+    assert_kind_of(String, @config.admin_keytab)
+  end
+
+  test "acl_file basic functionality" do
+    assert_respond_to(@config, :acl_file)
+    assert_kind_of(String, @config.acl_file)
+  end
+
+  test "dict_file basic functionality" do
+    assert_respond_to(@config, :dict_file)
+    assert_kind_of([String, NilClass], @config.dict_file)
+  end
+
+  test "stash_file basic functionality" do
+    assert_respond_to(@config, :stash_file)
+    assert_kind_of([String, NilClass], @config.stash_file)
+  end
+
+  test "mkey_name basic functionality" do
+    assert_respond_to(@config, :mkey_name)
+    assert_kind_of([String, NilClass], @config.mkey_name)
+  end
+
+  test "mkey_from_kbd basic functionality" do
+    assert_respond_to(@config, :mkey_from_kbd)
+    assert_kind_of([Fixnum, NilClass], @config.mkey_from_kbd)
+  end
+
+  test "enctype basic functionality" do
+    assert_respond_to(@config, :enctype)
+    assert_kind_of(Fixnum, @config.enctype)
+  end
+
+  test "max_life basic functionality" do
+    assert_respond_to(@config, :max_life)
+    assert_kind_of([Fixnum, NilClass], @config.max_life)
+  end
+
+  test "max_rlife basic functionality" do
+    assert_respond_to(@config, :max_rlife)
+    assert_kind_of([Fixnum, NilClass], @config.max_rlife)
+  end
+
+  test "expiration basic functionality" do
+    assert_respond_to(@config, :expiration)
+    assert_kind_of([Time, NilClass], @config.expiration)
+  end
+
+  test "kvno basic functionality" do
+    assert_respond_to(@config, :kvno)
+    assert_kind_of([Fixnum, NilClass], @config.kvno)
+  end
+
+  test "iprop_enabled basic functionality" do
+    assert_respond_to(@config, :iprop_enabled)
+    assert_boolean(@config.iprop_enabled)
+  end
+
+  test "iprop_logfile basic functionality" do
+    assert_respond_to(@config, :iprop_logfile)
+    assert_kind_of(String, @config.iprop_logfile)
+  end
+
+  test "iprop_polltime basic functionality" do
+    assert_respond_to(@config, :iprop_poll_time)
+    assert_kind_of(Fixnum, @config.iprop_poll_time)
+  end
+
+  test "iprop_port basic functionality" do
+    assert_respond_to(@config, :iprop_port)
+    assert_kind_of([Fixnum, NilClass], @config.iprop_port)
+  end
+
+  test "num_keysalts basic functionality" do
+    assert_respond_to(@config, :num_keysalts)
+    assert_kind_of(Fixnum, @config.num_keysalts)
+  end
+
+  test "keysalts basic functionality" do
+    assert_respond_to(@config, :keysalts)
+    assert_kind_of(Fixnum, @config.keysalts)
+  end
+
+  def teardown
+    @config = nil
+  end
+end

data/test/test_context.rb

@@ -0,0 +1,33 @@
+########################################################################
+# test_context.rb
+#
+# Test suite for the Kerberos::Krb5::Context class.
+########################################################################
+require 'rubygems'
+gem 'test-unit'
+
+require 'open3'
+require 'test/unit'
+require 'rkerberos'
+
+class TC_Krb5_Context < Test::Unit::TestCase
+  def setup
+    @context = Kerberos::Krb5::Context.new
+  end
+
+  test "close basic functionality" do
+    assert_respond_to(@context, :close)
+    assert_nothing_raised{ @context.close }
+  end
+
+  test "calling close multiple times is harmless" do
+    assert_nothing_raised{ @context.close }
+    assert_nothing_raised{ @context.close }
+    assert_nothing_raised{ @context.close }
+  end
+
+  def teardown
+    @context.close
+    @context = nil
+  end
+end

data/test/test_credentials_cache.rb

@@ -0,0 +1,153 @@
+#######################################################################
+# test_credentials_cache.rb
+#
+# Tests for the Kerberos::Krb5::Credentials class.
+#######################################################################
+require 'rubygems'
+gem 'test-unit'
+
+require 'etc'
+require 'test/unit'
+require 'rkerberos'
+require 'open3'
+require 'tmpdir'
+
+class TC_Krb5_Credentials_Cache < Test::Unit::TestCase
+  def setup
+    @login  = Etc.getlogin
+    @princ  = @login + '@' + Kerberos::Krb5.new.default_realm
+    @cfile  = File.join(Dir.tmpdir, 'krb5cc_' + Etc.getpwnam(@login).uid.to_s)
+    @ccache = nil
+  end
+
+  # Helper method that uses the command line utility for external verification
+  def cache_found
+    found = true
+
+    Open3.popen3('klist') do |stdin, stdout, stderr|
+      found = false unless stderr.gets.nil?
+    end
+
+    found
+  end
+
+  # Constructor
+
+  test "calling constructor with no arguments is legal" do
+    assert_nothing_raised{ @ccache = Kerberos::Krb5::CredentialsCache.new }
+  end
+
+  test "calling constructor with no arguments does not create a cache" do
+    assert_nothing_raised{ @ccache = Kerberos::Krb5::CredentialsCache.new }
+    assert_false(File.exists?(@cfile))
+    assert_false(cache_found)
+  end
+
+  test "calling constructor with a principal argument creates a credentials cache" do
+    assert_nothing_raised{ @ccache = Kerberos::Krb5::CredentialsCache.new(@princ) }
+    assert_true(File.exists?(@cfile))
+    assert_true(cache_found)
+  end
+
+  test "calling constructor with an explicit cache name works as expected" do
+    assert_nothing_raised{ @ccache = Kerberos::Krb5::CredentialsCache.new(@princ, @cfile) }
+    assert_nothing_raised{ @ccache = Kerberos::Krb5::CredentialsCache.new(nil, @cfile) }
+  end
+
+  test "calling constructor with a non string argument raises an error" do
+    assert_raise(TypeError){ Kerberos::Krb5::CredentialsCache.new(true) }
+  end
+
+  test "constructor only accepts up to two arguments" do
+    assert_raise(ArgumentError){ Kerberos::Krb5::CredentialsCache.new(@princ, @cfile, @cfile) }
+  end
+
+  test "close method basic functionality" do
+    @ccache = Kerberos::Krb5::CredentialsCache.new(@princ)
+    assert_respond_to(@ccache, :close)
+  end
+
+  test "close method does not delete credentials cache" do
+    @ccache = Kerberos::Krb5::CredentialsCache.new(@princ)
+    assert_nothing_raised{ @ccache.close }
+    assert_true(cache_found)
+  end
+
+  test "calling close multiple times on the same object does not raise an error" do
+    @ccache = Kerberos::Krb5::CredentialsCache.new(@princ)
+    assert_nothing_raised{ @ccache.close }
+    assert_nothing_raised{ @ccache.close }
+    assert_nothing_raised{ @ccache.close }
+  end
+
+  test "calling a method on a closed object raises an error" do
+    @ccache = Kerberos::Krb5::CredentialsCache.new(@princ)
+    @ccache.close
+    assert_raise(Kerberos::Krb5::Exception){ @ccache.default_name }
+  end
+
+  test "default_name basic functionality" do
+    @ccache = Kerberos::Krb5::CredentialsCache.new(@princ)
+    assert_respond_to(@ccache, :default_name)
+    assert_nothing_raised{ @ccache.default_name }
+  end
+
+  test "default_name returns a string" do
+    @ccache = Kerberos::Krb5::CredentialsCache.new(@princ)
+    assert_kind_of(String, @ccache.default_name)
+  end
+
+  test "primary_principal basic functionality" do
+    @ccache = Kerberos::Krb5::CredentialsCache.new(@princ)
+    assert_respond_to(@ccache, :primary_principal)
+    assert_nothing_raised{ @ccache.primary_principal }
+  end
+
+  test "primary_principal returns expected results" do
+    @ccache = Kerberos::Krb5::CredentialsCache.new(@princ)
+    assert_kind_of(String, @ccache.primary_principal)
+    assert_true(@ccache.primary_principal.size > 0)
+    assert_true(@ccache.primary_principal.include?("@"))
+  end
+
+  test "destroy method basic functionality" do
+    @ccache = Kerberos::Krb5::CredentialsCache.new(@princ)
+    assert_respond_to(@ccache, :destroy)
+  end
+
+  test "destroy method deletes credentials cache" do
+    @ccache = Kerberos::Krb5::CredentialsCache.new(@princ)
+    assert_nothing_raised{ @ccache.destroy }
+    assert_false(cache_found)
+  end
+
+  test "delete is an alias for destroy" do
+    @ccache = Kerberos::Krb5::CredentialsCache.new(@princ)
+    assert_respond_to(@ccache, :delete)
+    assert_alias_method(@ccache, :destroy, :delete)
+  end
+
+  test "calling destroy when there is no credentials cache returns false" do
+    @ccache = Kerberos::Krb5::CredentialsCache.new
+    assert_false(@ccache.destroy)
+  end
+
+  test "calling a method on a destroyed object raises an error" do
+    @ccache = Kerberos::Krb5::CredentialsCache.new(@princ)
+    @ccache.destroy
+    assert_raise(Kerberos::Krb5::Exception){ @ccache.default_name }
+  end
+
+  test "destroy method does not accept any arguments" do
+    @ccache = Kerberos::Krb5::CredentialsCache.new(@princ)
+    assert_raise(ArgumentError){ @ccache.destroy(true) }
+  end
+
+  def teardown
+    @login  = nil
+    @princ  = nil
+    @ccache = nil
+    @cname  = nil
+    Open3.popen3('kdestroy'){ sleep 0.1 } # Ignore errors and wait a tiny bit
+  end
+end

data/test/test_kadm5.rb

@@ -0,0 +1,424 @@
+########################################################################
+# test_kadm5.rb
+#
+# Tests for the Kerberos::Kadm5 class.
+#
+# This test suite requires that you have an entry in your .dbrc file
+# for 'local-kerberos' which includes an admin principal, password and
+# optional $KRB5_CONFIG file.
+#
+# Some keytab tests will fail if your local-kerberos entry is not
+# also in the keytab file.
+########################################################################
+require 'rubygems'
+gem 'test-unit'
+
+require 'test/unit'
+require 'dbi/dbrc'
+require 'rkerberos'
+require 'socket'
+
+class TC_Kerberos_Kadm5 < Test::Unit::TestCase
+  def self.startup
+    @@server = Kerberos::Kadm5::Config.new.admin_server
+    @@info = DBI::DBRC.new('local-kerberos')
+    @@host = Socket.gethostname
+
+    # For local testing the FQDN may or may not be available, so let's assume
+    # that hosts with the same name are on the same domain.
+    if @@server.include?('.') && !@@host.include?('.')
+      @@server = @@server.split('.').first
+    end
+
+    ENV['KRB5_CONFIG'] = @@info.driver || ENV['KRB5_CONFIG'] || '/etc/krb5.conf'
+  end
+
+  def setup
+    @user = @@info.user
+    @pass = @@info.passwd
+    @kadm = nil
+    @princ = nil
+    @policy = nil
+    @test_princ = "zztop"
+    @test_policy = "test_policy"
+
+    @keytab = Kerberos::Krb5::Keytab.new.default_name.split(':').last
+
+    unless File.exists?(@keytab)
+      @keytab = '/etc/krb5.keytab'
+    end
+  end
+
+  test "constructor basic functionality" do
+    assert_respond_to(Kerberos::Kadm5, :new)
+  end
+
+  test "constructor with valid user and password works as expected" do
+    assert_nothing_raised{
+      @kadm = Kerberos::Kadm5.new(:principal => @user, :password => @pass)
+    }
+  end
+
+  test "constructor with valid service works as expected" do
+    assert_nothing_raised{
+      @kadm = Kerberos::Kadm5.new(
+        :principal => @user,
+        :password  => @pass,
+        :service   => "kadmin/admin"
+      )
+    }
+  end
+
+  test "constructor with valid user and default keytab works as expected" do
+    omit_unless(@@host == @@server, "keytab on different host, skipping")
+    omit_unless(File.exists?(@keytab), "default keytab file '#{@keytab}' not found")
+
+    assert_nothing_raised{
+      @kadm = Kerberos::Kadm5.new(:principal => @user, :keytab => true)
+    }
+  end
+
+  test "constructor with valid user and explicit keytab works as expected" do
+    omit_unless(@@host == @@server, "keytab on different host, skipping")
+    omit_unless(File.exists?(@keytab), "keytab file '#{@keytab}' not found")
+
+    assert_nothing_raised{
+      @kadm = Kerberos::Kadm5.new(:principal => @user, :keytab => @keytab)
+    }
+  end
+
+  test "constructor only accepts a hash argument" do
+    assert_raise(TypeError){ Kerberos::Kadm5.new(@user) }
+    assert_raise(TypeError){ Kerberos::Kadm5.new(1) }
+  end
+
+  test "constructor accepts a block and yields itself" do
+    assert_nothing_raised{ Kerberos::Kadm5.new(:principal => @user, :password => @pass){} }
+    Kerberos::Kadm5.new(:principal => @user, :password => @pass){ |kadm5|
+      assert_kind_of(Kerberos::Kadm5, kadm5)
+    }
+  end
+
+  test "principal must be specified" do
+    assert_raise(ArgumentError){ Kerberos::Kadm5.new({}) }
+    assert_raise_message("principal must be specified"){ Kerberos::Kadm5.new({}) }
+  end
+
+  test "principal value must be a string" do
+    assert_raise(TypeError){ Kerberos::Kadm5.new(:principal => 1) }
+  end
+
+  test "password value must be a string" do
+    assert_raise(TypeError){ Kerberos::Kadm5.new(:principal => @user, :password => 1) }
+  end
+
+  test "keytab value must be a string or a boolean" do
+    assert_raise(TypeError){ Kerberos::Kadm5.new(:principal => @user, :keytab => 1) }
+  end
+
+  test "service value must be a string" do
+    assert_raise(TypeError){
+      Kerberos::Kadm5.new(:principal => @user, :password => @pass, :service => 1)
+    }
+  end
+
+  test "an error is raised if an invalid service name is used" do
+    assert_raise(Kerberos::Kadm5::Exception){
+      Kerberos::Kadm5.new(:principal => @user, :password => @pass, :service => 'bogus')
+    }
+  end
+
+  test "an error is raised if both a keytab and a password are provided" do
+    assert_raise(ArgumentError){
+      Kerberos::Kadm5.new(:principal => @user, :keytab => true, :password => "xxx")
+    }
+    assert_raise_message("cannot use both a password and a keytab"){
+      Kerberos::Kadm5.new(:principal => @user, :keytab => true, :password => "xxx")
+    }
+  end
+
+  test "constructor with invalid user or password raises an error" do
+    assert_raise(Kerberos::Kadm5::Exception){
+      Kerberos::Kadm5.new(:principal => @user, :password => 'bogus')
+    }
+    assert_raise(Kerberos::Kadm5::Exception){
+      Kerberos::Kadm5.new(:principal => 'bogus', :password => @pass)
+    }
+  end
+
+  test "constructor with invalid user or password raises a specific error message" do
+    assert_raise_message('kadm5_init_with_password: Incorrect password'){
+      Kerberos::Kadm5.new(:principal => @user, :password => 'bogus')
+    }
+    assert_raise_message('kadm5_init_with_password: Client not found in Kerberos database'){
+      Kerberos::Kadm5.new(:principal => 'bogus', :password => @pass)
+    }
+  end
+
+  test "set_password basic functionality" do
+    @kadm5 = Kerberos::Kadm5.new(:principal => @user, :password => @pass)
+    assert_respond_to(@kadm5, :set_password)
+  end
+
+  test "set_password requires two arguments" do
+    @kadm5 = Kerberos::Kadm5.new(:principal => @user, :password => @pass)
+    assert_raise(ArgumentError){ @kadm5.set_password }
+    assert_raise(ArgumentError){ @kadm5.set_password('user') }
+    assert_raise(ArgumentError){ @kadm5.set_password('user', 'xxx', 'yyy') }
+  end
+
+  test "set_password requires string arguments" do
+    @kadm5 = Kerberos::Kadm5.new(:principal => @user, :password => @pass)
+    assert_raise(TypeError){ @kadm5.set_password('user',2) }
+    assert_raise(TypeError){ @kadm5.set_password(1, 'xxxx') }
+  end
+
+  test "attempting to set the password for an invalid user raises an error" do
+    @kadm5 = Kerberos::Kadm5.new(:principal => @user, :password => @pass)
+    assert_raise(Kerberos::Kadm5::Exception){ @kadm5.set_password('bogususer', 'xxxyyy') }
+  end
+
+  ### Policy
+
+  test "create_policy basic functionality" do
+    @kadm = Kerberos::Kadm5.new(:principal => @user, :password => @pass)
+    assert_respond_to(@kadm, :create_policy)
+  end
+
+  test "create_policy accepts a Policy object" do
+    hash = {:name => @test_policy, :min_length => 5, :max_life => 10000, :min_classes => 2}
+    policy = Kerberos::Kadm5::Policy.new(hash)
+    assert_nothing_raised{ @kadm = Kerberos::Kadm5.new(:principal => @user, :password => @pass) }
+    assert_nothing_raised{ @kadm.create_policy(policy) }
+  end
+
+  test "create_policy accepts a hash" do
+    hash = {:name => @test_policy, :min_length => 5, :max_life => 10000, :min_classes => 2}
+    assert_nothing_raised{ @kadm = Kerberos::Kadm5.new(:principal => @user, :password => @pass) }
+    assert_nothing_raised{ @kadm.create_policy(hash) }
+  end
+
+  test "policy can be found after creation" do
+    hash = {:name => @test_policy, :min_length => 5, :max_life => 10000, :min_classes => 2}
+    @kadm = Kerberos::Kadm5.new(:principal => @user, :password => @pass)
+    @kadm.create_policy(hash)
+    assert_nothing_raised{ @kadm.get_policy(@test_policy) }
+  end
+
+  test "create_policy only accepts one argument" do
+    hash = {:name => @test_policy, :min_length => 5, :max_life => 10000, :min_classes => 2}
+    @kadm = Kerberos::Kadm5.new(:principal => @user, :password => @pass)
+    assert_raise(ArgumentError){ @kadm.create_policy(hash, hash) }
+  end
+
+  test "attempting to create a policy that already exists raises an error" do
+    hash = {:name => @test_policy, :min_length => 5, :max_life => 10000, :min_classes => 2}
+    @kadm = Kerberos::Kadm5.new(:principal => @user, :password => @pass)
+    assert_nothing_raised{ @kadm.create_policy(hash) }
+    assert_raise(Kerberos::Kadm5::Exception){ @kadm.create_policy(hash) }
+  end
+
+  test "delete_policy basic functionality" do
+    @kadm = Kerberos::Kadm5.new(:principal => @user, :password => @pass)
+    assert_respond_to(@kadm, :delete_policy)
+  end
+
+  test "delete_policy works as expected" do
+    @kadm = Kerberos::Kadm5.new(:principal => @user, :password => @pass)
+    assert_nothing_raised{ @kadm.create_policy(:name => @test_policy) }
+    assert_nothing_raised{ @kadm.delete_policy(@test_policy) }
+  end
+
+  test "delete_policy takes one argument and only one argument" do
+    @kadm = Kerberos::Kadm5.new(:principal => @user, :password => @pass)
+    assert_raise(ArgumentError){ @kadm.delete_policy }
+    assert_raise(ArgumentError){ @kadm.delete_policy(@test_policy, @test_policy) }
+  end
+
+  ### Principal
+
+  test "create_principal basic functionality" do
+    @kadm = Kerberos::Kadm5.new(:principal => @user, :password => @pass)
+    assert_respond_to(@kadm, :create_principal)
+  end
+
+  test "create_principal creates a user as expected" do
+    assert_nothing_raised{ @kadm = Kerberos::Kadm5.new(:principal => @user, :password => @pass) }
+    assert_nothing_raised{ @kadm.create_principal(@test_princ, "changeme") }
+  end
+
+  test "create_principal requires two arguments" do
+    assert_nothing_raised{ @kadm = Kerberos::Kadm5.new(:principal => @user, :password => @pass) }
+    assert_raise(ArgumentError){ @kadm.create_principal }
+    assert_raise(ArgumentError){ @kadm.create_principal(@user) }
+    assert_raise(ArgumentError){ @kadm.create_principal(@user, @pass, @pass) }
+  end
+
+  test "attempting to create a principal that already exists raises an error" do
+    assert_nothing_raised{ @kadm = Kerberos::Kadm5.new(:principal => @user, :password => @pass) }
+    assert_nothing_raised{ @kadm.create_principal(@test_princ, "changeme") }
+    assert_raise(Kerberos::Kadm5::Exception){ @kadm.create_principal(@test_princ, "changeme") }
+  end
+
+  test "delete_principal basic functionality" do
+    assert_nothing_raised{ @kadm = Kerberos::Kadm5.new(:principal => @user, :password => @pass) }
+    assert_respond_to(@kadm, :delete_principal)
+  end
+
+  test "delete_principal works as expected" do
+    assert_nothing_raised{ @kadm = Kerberos::Kadm5.new(:principal => @user, :password => @pass) }
+    assert_nothing_raised{ @kadm.create_principal(@test_princ, "changeme") }
+    assert_nothing_raised{ @kadm.delete_principal(@test_princ) }
+  end
+
+  test "delete_principal takes one argument and only one argument" do
+    assert_nothing_raised{ @kadm = Kerberos::Kadm5.new(:principal => @user, :password => @pass) }
+    assert_raise(ArgumentError){ @kadm.delete_principal }
+    assert_raise(ArgumentError){ @kadm.delete_principal(@user, @pass) }
+  end
+
+  test "find_principal basic functionality" do
+    assert_nothing_raised{ @kadm = Kerberos::Kadm5.new(:principal => @user, :password => @pass) }
+    assert_respond_to(@kadm, :find_principal)
+  end
+
+  test "find_principal returns a Struct::Principal object if found" do
+    assert_nothing_raised{ @kadm = Kerberos::Kadm5.new(:principal => @user, :password => @pass) }
+    assert_nothing_raised{ @kadm.create_principal(@test_princ, "changeme") }
+    assert_nothing_raised{ @princ = @kadm.find_principal(@test_princ) }
+    assert_kind_of(Kerberos::Krb5::Principal, @princ)
+  end
+
+  test "find_principal returns nil if not found" do
+    assert_nothing_raised{ @kadm = Kerberos::Kadm5.new(:principal => @user, :password => @pass) }
+    assert_nil(@kadm.find_principal('bogus'))
+  end
+
+  test "find_principal requires a string argument" do
+    assert_nothing_raised{ @kadm = Kerberos::Kadm5.new(:principal => @user, :password => @pass) }
+    assert_raise(TypeError){ @kadm.find_principal(1) }
+  end
+
+  test "find_principal requires one and only one argument" do
+    assert_nothing_raised{ @kadm = Kerberos::Kadm5.new(:principal => @user, :password => @pass) }
+    assert_raise(ArgumentError){ @kadm.find_principal }
+    assert_raise(ArgumentError){ @kadm.find_principal(@user, @user) }
+  end
+
+  test "generate_random_key basic functionality" do
+    @kadm = Kerberos::Kadm5.new(:principal => @user, :password => @pass)
+    @kadm.create_principal(@test_princ, "changeme")
+    assert_respond_to(@kadm, :generate_random_key)
+    assert_nothing_raised{ @kadm.generate_random_key(@test_princ) }
+  end
+
+  test "generate_random_key returns the number of keys generated" do
+    @kadm = Kerberos::Kadm5.new(:principal => @user, :password => @pass)
+    @kadm.create_principal(@test_princ, "changeme")
+    assert_kind_of(Fixnum, @kadm.generate_random_key(@test_princ))
+    assert_true(@kadm.generate_random_key(@test_princ) > 0)
+  end
+
+  test "generate_random_key requires one argument" do
+    @kadm = Kerberos::Kadm5.new(:principal => @user, :password => @pass)
+    assert_raise(ArgumentError){ @kadm.generate_random_key }
+    assert_raise(ArgumentError){ @kadm.generate_random_key(@test_princ, @test_princ) }
+  end
+
+  test "generate_random_key requires a string argument" do
+    @kadm = Kerberos::Kadm5.new(:principal => @user, :password => @pass)
+    assert_raise(TypeError){ @kadm.generate_random_key(7) }
+  end
+
+  test "generate_random_key raises an error if the principal cannot be found" do
+    @kadm = Kerberos::Kadm5.new(:principal => @user, :password => @pass)
+    assert_raise(Kerberos::Kadm5::Exception){ @kadm.generate_random_key('bogus') }
+  end
+
+  test "get_policy basic functionality" do
+    assert_nothing_raised{ @kadm = Kerberos::Kadm5.new(:principal => @user, :password => @pass) }
+    assert_respond_to(@kadm, :get_policy)
+  end
+
+  test "get_policy returns a Policy object if found" do
+    assert_nothing_raised{ @kadm = Kerberos::Kadm5.new(:principal => @user, :password => @pass) }
+    assert_nothing_raised{ @kadm.create_policy(:name => @test_policy, :min_length => 5) }
+    assert_nothing_raised{ @policy = @kadm.get_policy(@test_policy) }
+    assert_kind_of(Kerberos::Kadm5::Policy, @policy)
+  end
+
+  test "get_principal basic functionality" do
+    assert_nothing_raised{ @kadm = Kerberos::Kadm5.new(:principal => @user, :password => @pass) }
+    assert_respond_to(@kadm, :get_principal)
+  end
+
+  test "get_principal returns a Struct::Principal object if found" do
+    assert_nothing_raised{ @kadm = Kerberos::Kadm5.new(:principal => @user, :password => @pass) }
+    assert_nothing_raised{ @kadm.create_principal(@test_princ, "changeme") }
+    assert_nothing_raised{ @princ = @kadm.get_principal(@test_princ) }
+    assert_kind_of(Kerberos::Krb5::Principal, @princ)
+  end
+
+  test "get_principal raises an error if not found" do
+    assert_nothing_raised{ @kadm = Kerberos::Kadm5.new(:principal => @user, :password => @pass) }
+    assert_raise(Kerberos::Kadm5::PrincipalNotFoundException){ @kadm.get_principal('bogus') }
+  end
+
+  test "get_principal requires a string argument" do
+    assert_nothing_raised{ @kadm = Kerberos::Kadm5.new(:principal => @user, :password => @pass) }
+    assert_raise(TypeError){ @kadm.get_principal(1) }
+  end
+
+  test "get_principal requires one and only one argument" do
+    assert_nothing_raised{ @kadm = Kerberos::Kadm5.new(:principal => @user, :password => @pass) }
+    assert_raise(ArgumentError){ @kadm.get_principal }
+    assert_raise(ArgumentError){ @kadm.get_principal(@user, @user) }
+  end
+
+  test "close basic functionality" do
+    assert_nothing_raised{ @kadm = Kerberos::Kadm5.new(:principal => @user, :password => @pass) }
+    assert_respond_to(@kadm, :close)
+    assert_nothing_raised{ @kadm.close }
+  end
+
+  test "calling close multiple times is a no-op" do
+    assert_nothing_raised{ @kadm = Kerberos::Kadm5.new(:principal => @user, :password => @pass) }
+    assert_nothing_raised{ @kadm.close }
+    assert_nothing_raised{ @kadm.close }
+    assert_nothing_raised{ @kadm.close }
+  end
+
+  test "close does not accept any arguments" do
+    @kadm = Kerberos::Kadm5.new(:principal => @user, :password => @pass)
+    assert_raise(ArgumentError){ @kadm.close(1) }
+  end
+
+  test "calling close on an already closed object raises an error" do
+    @kadm = Kerberos::Kadm5.new(:principal => @user, :password => @pass)
+    @kadm.create_principal(@test_princ, "changeme")
+    @kadm.close
+
+    assert_raise(Kerberos::Kadm5::Exception){ @kadm.get_principal(@test_princ) }
+    assert_raise_message('no context has been established'){ @kadm.get_principal(@test_princ) }
+  end
+
+  def teardown
+    if @kadm
+      @kadm.delete_principal(@test_princ) rescue nil
+      @kadm.delete_policy(@test_policy) rescue nil
+      @kadm.close
+    end
+
+    @user   = nil
+    @pass   = nil
+    @kadm   = nil
+    @princ  = nil
+    @policy = nil
+  end
+
+  def self.shutdown
+    @@host = nil
+    @@info = nil
+    @@server = nil
+  end
+end